#11037 closed (duplicate)
Support HTTPOnly cookie for HttpResponse.set_cookie
| Reported by: | hvendelbo | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | master |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Design decision needed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | UI/UX: |
Description
Most browsers has some support for HTTPOnly cookies. It provides some protection against XSS attacks.
http://www.owasp.org/index.php/HTTPOnly
I've added another optional parameter to the set_cookie method. I also figured that it should be possible to make the sessionid use the flag.
Attachments (1)
Change History (4)
comment:1 Changed 5 years ago by mattmcc
- Has patch unset
- milestone 1.1 deleted
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Design decision needed
comment:2 Changed 5 years ago by mrts
- Resolution set to duplicate
- Status changed from new to closed
Duplicate of #3304. Please search the existing ticket list before submitting new tickets.
Changed 5 years ago by hvendelbo
comment:3 Changed 5 years ago by hvendelbo
I did search for httponly and set_cookie, didn't find anything
Anyway, I added a couple of doctests for HttpResponse that might be useful
Note: See
TracTickets for help on using
tickets.
It's too late for new features in 1.1.